ISO 22301: The Business Continuity Standard Explained Simply

Measuring up to the ISO 22301 business continuity management standard is no small feat. This 30-page document developed by the ISO Technical Committee in 2012 is considered the touchstone of business continuity standards for all types of companies (although there are specialized guidelines such as the FFIEC business continuity program standard for financial institutions or NIST 800 for information technology). If your business continuity program is performing at this level, first of all—congratulations, it’s quite an achievement! More importantly, though, the strength of your program almost guarantees your business will survive a crisis should one ever occur.

The purpose of ISO 22301 is to provide guidelines on how to set up and manage a high-performing business continuity management system (BCMS). It essentially dictates how all the elements of a program should work together to ensure your business can continue operating at its normal level following a disruption, so that you can protect your brand as well as the interests of your key stakeholders (including your customers).

It is one standard among many; in fact, it’s smart for companies to use more than one. (The various standards are somewhat different; the National Fire Protection Act 1600, for example, puts forth more nuts-and-bolts directives than ISO 22301, which measures at a more strategic level.) And how you apply the standard is totally up to you: either use it at its highest level or determine a more moderate approach that still provides an adequate level of protection for your business. That decision will be determined in part by the nature of your business: If your industry is governed by strict legal or regulatory requirements for business continuity, then implement the standard at the highest level you possibly can.

But no matter how you choose to implement ISO 22301 as your preferred business continuity management standard, do so by formally adopting it and making it the basis for the operation of your BCMS. Having a clear understanding among all stakeholders ensures a greater level of commitment—and makes it more difficult to veer off course.


Let’s take a closer look at the 10 main sections of ISO 22301, in layman’s terms.

ISO 22301 Business Continuity Management Standards: 10 Sections

Sections 1-3 Overview

The first three sections of ISO 22301 mainly serve to provide context about the standard itself and its overall purpose. Briefly, they are as follows:

  • Section 1, scope, outlines what the standard is and whom it applies to. It is applicable to all types of organizations that want to implement a solid business continuity program and ensure conformity to a proven standard.
  • Section 2, normative references, lists documents that support and clarify the standard (none are listed; you can essentially skip this section).
  • Section 3, terms and definitions, explains key terms used within the standard. It’s important to understand them because some may mean different things here than they do elsewhere.

Section 4: Context

The standard really begins here, with how to start evaluating your program. The purpose of this section is to get you thinking about your business and understand—realistically—what it might need in the event of a disruption.

  • 4.1—Understand your organization and its unique context. Consider the purpose of your organization, what it does, and your management’s risk tolerance.
  • 4.2—Understand the needs and expectations of parties associated with your company, both internal and external. Also be familiar with any specific legal and regulatory requirements associated with your organization and how they impact your BCMS.
  • 4.3—Consider the scope of the business continuity management system you’re planning to implement. Define which parts of the organization will be covered by the program and which will not; do the same for people, products, and services.

Section 5: Leadership

A business continuity program is only as good as the level of management support it receives. This section calls your attention to the elements that govern a program and ensure it has the support it needs to succeed.

  • 5.1—Is the management team committed to the program? Do they participate in overseeing the process on a regular basis?
  • 5.2—Have you established a business continuity policy that governs the program? This sets the framework for the program’s objectives.
  • 5.3—Have you defined roles and responsibilities for those associated with the program? Who’s in charge, and what are their responsibilities? Have the roles been officially assigned and communicated?

Section 6: Planning

This section requires you to revisit the issues identified in Section 4. Understanding your company as a whole is necessary for planning the appropriate strategies and actions.

  • 6.1—Identify the risks associated with your company based on what it is and does.
  • 6.2—Identify business continuity objectives and create plans to address them.
  • 6.3—Make sure the objectives are consistent with the policy you’ve developed. Take into account, for instance, the minimal level of products and services you need to have in place following a disruption.
  • 6.4—Outline the parties responsible for carrying out the plan. (Some of this may have been defined in section 5.)

Section 7: Support

This section outlines the building blocks a plan needs in order to work. Something as simple as making sure people know about the plan could make or break its success.

  • 7.1—Define the resources you will need to implement your plans. Consider internal and external resources you will need to have in place on an ongoing basis.
  • 7.2—Ensure the parties responsible for carrying out the plan are competent. Do they have the right training, and are they capable of maintaining the program?
  • 7.3—Ensure global awareness of the plan. Everyone in the company should know about the plan and their role (if any), including what is expected of them should the plan be carried out.
  • 7.4—Define methods of crisis communication, including who is authorized to communicate, what should be communicated, when, and with whom.
  • 7.5—Document your plan information. Documentation should be standardized for easy maintenance and regular updating.
  • 7.6—Maintain control of your plan information by making sure it is stored properly, secured (so that the right people have access to it), and accessible.

Section 8: Operation

Section 8 is where much of the “meat” of ISO 22301 lies—it tells what you need to do to create a working program.

  • 8.1—Define the elements of operational planning and control your company will utilize. Know the processes you need to implement and the criteria behind them (risk assessment, a business impact analysis, etc.).
  • 8.2—Conduct a complete BIA and risk assessment. (See our Business Impact Analysis Guide.)
  • 8.3—Develop a business continuity strategy.
    • Put plans in place to protect your operations. Determine strategy based on the importance/criticality of a business unit and its recovery time.
    • Identify the resources needed to carry out the strategy—people, information, facilities, transportation, money.
    • Determine controls you will put into place to protect, plan, and mitigate risk.
  • 8.4—Develop business continuity management plans for the following:
    • Establish an incident response structure that ensures high-level people in your company can strategically direct the response to an incident and delegate tasks.
    • Implement a warning and communication process. Do you have a way to monitor potential threats for advance warning? (An approaching nor’easter, for instance, warrants special attention.) How will you communicate with internal and external parties about an impending or actual event?
    • Develop thorough business continuity procedures.
  • 8.5—Test regularly and consistently according to the scope of your objectives. A highly regulated industry needs more rigorous testing than other industries.

Section 9: Performance evaluation

Evaluating your business continuity program is the only way to truly know if it will work; are you doing what’s required to measure its performance?

  • 9.1—Monitor, measure, analyze, and evaluate your program. Determine what needs to be monitored or measured and the methods you’ll use to do that, as well as how frequently you’ll do it. Set up the right performance metrics to ensure you’re conducting your program properly.
  • 9.2—Conduct an internal audit regularly to show whether the system is performing. If it’s not performing as needed, how will you fix it?
  • 9.3—Conduct management reviews. Top management should review the system at planned intervals to ensure its continuing suitability, adequacy, and effectiveness. Typically this is an area where many companies fall short.

Section 10: Continual improvement

You must demonstrate a commitment to continually improving your plan over time, both in resolving outstanding issues and in keeping it up-to-date as your business changes.

  • 10.1—If metrics reveal you have problems in the program, identify them and fix them.
  • 10.2—Strive for continual improvement.

Want help meeting the ISO standard for business continuity?

Meeting the ISO 22301 business continuity management standard takes discipline, time, and resources—as well as the ability to accurately develop and evaluate effective strategies. The BCMMetrics™ suite of business continuity software can help.

The BIA On-Demand (BIAOD) tool gives you everything you need to conduct a complete business impact analysis at the company, division, or department level. Compliance Confidence (C2) measures your business continuity program with a series of comprehensive questions and a clear, FICO-like scoring system. And the Residual Risk (R2) tool can help you quantitatively identify and evaluate your residual risk. Each of these tools is aligned with multiple major industry standards, including ISO 22301. They’re easy to use and give you the opportunity to perform unlimited self-assessments of your enterprise BCM program. To find out more about how they work, schedule a demo today.

To ensure consistency and completeness as you develop your program, we’ve designed an ISO 22301 checklist. If you can verify that your program has each of the following elements associated with Sections 5-10 of the standard, your company does indeed have the organized and thorough continuity program outlined in ISO 22301. You can also use it as an ISO 22301 audit checklist if your company is preparing to undergo an official certification process. *The starred items are where most companies fall short, in our experience, so pay special attention to your efforts in those areas.

Get It Done: An ISO 22301 Checklist

1.  Leadership, Section 5 Requirements

You have a management oversight committee in place, along with a process that dictates how the committee will oversee the program from the time of creation all the way through implementation, maintenance, and the actual carrying out of plans.

Your policies and objectives align with the requirements of your organization. If you have more intense legal/regulatory requirements, or customer and stakeholder requirements, then your policies must match your obligations.

2.  Planning, Section 6 Requirements

You have documentation showing that you understand your company’s requirements for a business continuity plan. It should define the following and note how each contributes to the development of your business continuity management system:

  • The requirements of your company.
  • The products/services you provide.
  • The requirements of your stakeholders.
  • Your legal/regulatory requirements.

3.  Support, Section 7 Requirements

You have a document management system that includes all the supporting documents related to every stage of your business continuity management system, from training to practice exercises. The system you use manages and organizes relevant documents, makes it easy to refer to them, and makes them accessible to the right people.

You have a good documentation maintenance program that provides a schedule for updating key components of the program, such as the Business Impact Analysis, recovery plans, and policies and objectives.

*You have a training program in place as well as global awareness of the program and its recovery processes. (Global awareness includes employees at all levels of your company—not just senior-level personnel or those who are actively involved in implementing the processes.)

You have a communication system in place that ensures ongoing communication with interested parties and stakeholders, before, during, and after an event. This process should also include communication as your program is developing (not just when an event occurs), for instance, interaction or consultation with regulatory bodies.

4.  Operation, Section 8 Requirements

*You have performed and documented a risk and threat assessment to determine the risks associated with your business and the controls you have in place to protect against them. (For assistance in evaluating residual risk and help in reducing it, try the Residual Risk online assessment tool.)

You have performed a complete Business Impact Analysis (BIA) to determine the criticality of your business operations based on the processes they perform, and to identify the dependencies that must be in place for those processes to run. (Use our comprehensive Business Impact Analysis (BIAOD) tool for a simple yet thorough way to identify your critical business processes and their system/resource requirements.)

*You have designed appropriate business continuity strategies and the requirements for each based on what you need to recover and when you need to recover it, and you’ve documented them (e.g., outsourcing, alternate sites, splitting up call centers). Each strategy is based on your BIA and your risk/threat assessment.

You have created the following business recovery plans depending on the requirements of your company, the strategy requirements, and the BIA:

  • A crisis management plan (sometimes called an incident management plan) that directs the crisis management team in how to assess and manage an event and the key players involved in carrying out recovery plans.
  • Critical business recovery plans for relevant business units.
  • Critical IT disaster recovery plans.

You have a program of regularly scheduled testing that is appropriate based on the requirements of the company and the findings of the BIA. You also have a process to document test results.

5.  Performance Evaluation, Section 9 Requirements

You have documented management reviews to confirm ongoing management review and appraisal of the program.

You have documented results of regularly scheduled internal or external audits of your program. (Internal audits tend to be less effective because of a lack of objectivity; an external third-party review of your program every two years is recommended.)

You have processes in place to measure and evaluate the performance of the program, including specific metrics for compliance and residual risk. You know the ROI of your program and whether it’s getting the intended results. (To easily assess your program compliance against industry standards, try the cloud-based self-assessment tool Compliance Confidence (C2). To assess residual risk try our Residual Risk (R2) tool.)

6.  Continual Improvement, Section 10 Requirements

*You have a process designed to identify weaknesses in your program (either through testing or measuring) and take corrective action to address them; you also have those processes and actions documented.

You have a post-incident review process in place. You add your findings to a knowledge base and use them to improve your future plans.

Hit Every Item On Your ISO 22301 Checklist

All of our BCMMetrics™ tools were designed with standards like ISO 22301 in mind. Because they’re intuitive self-assessment tools, you can use each of them—Business Impact Analysis (BIAOD), Residual Risk (R2), and Compliance Confidence (C2)—to do your own due diligence so you know where you stand in preparation for an ISO 22301 or related audit of your BCM program. All of our tools are regularly reviewed and updated in response to changes in the industry and regulatory landscape.

Schedule a free demo to see the tools in action, and find out where your program stands today.

Michael Herrera is the Chief Executive Officer (CEO) of MHA. In his role, Michael provides global leadership to the entire set of industry practices and horizontal capabilities within MHA. Under his leadership, MHA has become a leading provider of Business Continuity and Disaster Recovery services to organizations on a global level. He is also the founder of BCMMETRICS, a leading cloud-based tool designed to assess business continuity compliance and residual risk. Michael is a well-known and sought-after speaker on Business Continuity issues at local and national contingency planner chapter meetings and conferences. Prior to founding MHA, he was a Regional VP for Bank of America, where he was responsible for Business Continuity across the southwest region.

© 2024 · MHA Consulting. All Rights Reserved.